Audit RDP Port Change Event

Steps to Audit RDP Port Change (Registry):

Enable Audit Policy

• Open Local Security Policy:

  • Press Win + R, type secpol.msc, and press Enter.

• Navigate to:

• Double-click Audit Registry.

• Check Success and/or Failure depending on what you want to track.

• Click Apply → OK.

Security Settings → Advanced Audit Policy Configuration → Object Access 

1. Enable GPO Audit Settings:

• Open gpedit.msc (or use GPMC for domain).

• Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access

• Enable:

  • Audit Registry → Success and Failure

2. Set auditing on the specific registry key:

• Open regedit.

• Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

• Right-click PortNumber → Permissions → Advanced → Auditing tab → Add:

  • Choose Principal (e.g., Everyone or Authenticated Users)

  • Choose Success for Set Value and Write

3. Check Event Viewer:

• Go to Security logs.

• Look for Event ID 4657 (A registry value was modified).

• It will show:

  • Who made the change (user ID)

  • What key was changed

  • Original and new values

gpupdate /force